Security
7450 ESS System Mangement Guide Page 47
Applicability of Distributed CPU Protection
dist-cpu-protection (DCP) policies can be applicable to the following types of objects:
• most types of SAPs, including capture SAPs and SAPs on pseudo wires, but it is not
applicable to b-vpls saps (b-saps).
• Network Interfaces, but not to any other type of interface. A DCP policy can be
configured at the interface sap instead.
Control packets that are both forwarded (which means they could be subject to normal QoS
policy policing) and also copied for extraction are not subject to Distributed CPU Protection
(including in the all-unspecified bucket). This includes traffic snooping (for example, PIM in
VPLS) as well as control traffic that is flooded in an R-VPLS instance and also extracted to
the CPM such as ARP, ISIS and VRRP. Centralized per SAP/interface cpu-protection can be
employed to rate limit or mark this traffic if desired.
Control traffic that arrives on a network interface, but inside a tunnel (for example, SDP, LSP,
PW) and logically terminates on a service (that is, traffic that is logically extracted by the
service rather than the network interface layer itself) will bypass the DCP function. The
control packets in this case will not be subject to the DCP policy that is assigned to the
network interface on which the packets arrived. This helps to avoid customer traffic in a
service from impacting other services or the operator’s infrastructure.
Control packets that are extracted in a vprn service, where the packets arrived into the node
via a vpls SAP (that is, r-vpls scenario), will use the DCP policy and policer instances
associated with the vpls SAP. In this case the DCP policy that an operator creates for use on
VPLS SAPs, for VPLSs that have a l3-interface bound to them (r-vpls), may have protocols
like OSPF, ARP, configured in the policy.
To Next Page
Loading...
